SMS Bombing Operation Exposed After Discovery of a Leaky Database

Unsecured cloud databases have emerged as a growing cyber threat to users’ privacy. From the beginning of this year, we have heard of numerous incidents exposing data via unsecured databases. Once again, another similar report surfaced online however, this security incident not only exposed data but also unveiled a massive SMS bombing operation.

Database Exposing SMS Bombing Operation

Security researcher Bob Diachenko, who recently made back-to-back discoveries of unprotected databases, has spotted another public MongoDB instance. The database allegedly exposed information about a massive SMS bombing operation. Diachenko has discussed all his findings in his blog post.

Named ApexSMS, the unsecured MongoDB instance contained data in various folders. One such folder, named ‘leads, allegedly had 80,055,125 records. The details exposed via this folder included names, city/state/country/zip, emails (MD5 hashed), IP address, contact number and type (mobile or landline), and carrier network (for mobile numbers).

Scratching the surface further revealed that the database name ‘ApexSMS’ was an SMS bombing program advertised on black hat forums.

Suspected Spamming Operation

As stated in his report, the researcher also noticed spam activity from the exposed information.

“Database also contained the messages sent to millions of people and these messages were designed to trick people into clicking links by pretending to be a referral from a friend or family member.”

TechCrunch’s Zack Whittaker also looked into the matter and could confirm spamming. He found spam messages tricking the receivers to click on some link. He also confirmed the presence of more than 115,000 responses on such spam messages.

As revealed by both the researchers, one such message to trick the recipient that stated,

“this is what we was talking about last night.”

They could also find the response on this text from the annoyed recipient stating,

“Nathan is married and didn’t talk to you yesterday because I his wife had this phone. Text this phone I’ll have you charged with harassment.”

Digging into the matter further hinted towards connections with an SMS marketing platform ‘Mobile Drip’ to the database. While the official ApexSMS website went down, Mobile Drip denied their link to ApexSMS or any spamming activity. In a statement to TechCrunch, they mentioned about engaging cybersecurity and legal firms to investigate the matter.

“We take compliance and data security very seriously, and we are currently investigating to determine to what extent our information has been exposed to unauthorized parties… Our servers have always been password protected, so any information that may have been acquired was done so through illegal means with the goal of harming the reputation and financial success of the business.”

The researchers could not precisely state for how long the database remained public. Nonetheless, it has now been taken offline.